API keys must always be kept secret. The security becomes more critical if you are an app because if you include the API key as free form text and ship it, a hacker can spend some time to reverse engineer and obtain the key. Here is a good article on how to keep your API keys safe in an app.